Email Masquerade Attacks: Exploiting Natural Language Generation

Email Masquerade Attacks: Exploiting Natural Language Generation

With the massive boom in Internet usage, overwhelming numbers of organizations and individuals have fallen prey to targeted attacks like pharming and phishing. The resulting digital identity theft causes personal and financial losses to unaware victims. Researchers have proposed an array of detection methods to counter such attacks. However, attackers have exploited cyber technologies to launch new sophisticated attacks to evade human and machine supervision. Detection algorithms and systems are commonly trained on attack patterns and historical data. Advanced attack vectors can trick these pre-trained classification and detection techniques.


It consists of imitating someone else’s identity and using legitimate sources to carry out cybercrimes using the victim’s credentials. This is primarily used for gaining unauthorized access to the organization’s networks or victim’s systems. Attackers send phishing emails to pose as legitimate sources and request the users to submit personal information.


Fraudulent emails may be constructed using various techniques perfected to create flawless deception. Though manually fine-tuning such emails guarantees a higher probability of a successful attack, it is time-consuming. Phishers look to automate launching effective and fast attack vectors. These techniques include spamming bulk mailing, including action words in a phishing email. But improved statistical detection models quickly detect them.

Email masquerading is a popular cyberattack technique where a scammer, after gaining access to an individual’s email, can study the content of the emails received or sent by the target. The attacker then synthesizes targeted malicious emails posing as a non-threatening email by incorporating features observed in the target’s emails. Such attacks have reduced the chances of being detected by an automated pre-trained classifier, thereby increasing the chances of a successful attack.

Email Features Monitored for Masquerade Attacks

How do masquerade attacks work?

Masquerade attack flows come in many sizes and shapes. A common and possible workflow:

  1. The attacker sends phishing SMS or emails to an organization. It could contain, for example, an apparent link to the organization’s IT portal, asking the employees to log in and confirm an update. In reality, the linked website is a spoofed site controlled by the attacker.

  2. After obtaining the victim’s credentials, the attacker logs into the network as that user. If the stolen credentials belong to the network admin, the attacker has unrestricted access and can even do a complete takeover of the network. Here, the attack is successful and ends. However, suppose the compromised credentials do not give the attacker sufficient permissions to get to their desired payload (malware that the threat actor intends to deliver to the victim). In that case, they might try a ‘pass the hash’ attack for further permissions.

  3. Now they scrape the compromised machine (for which the attacker already has the credentials) for any stored password hashes, which can be used to create a new legitimate session as that user without the need for the plain text credentials.

  4. The attacker then uses the stolen hashes to move laterally from account to account and device to device, scraping the hashes on each machine in the hopes of finding hashes that have high enough permissions to get them to their payload.

  5. With a bit of luck, the attacker eventually finds the System Administrator’s password hashes (or another high permissions account) and can get to their payload, which takes us back to step 2.


Natural Language Generation (NLG) is a subfield of Artificial Intelligence. It is a software process that can generate natural language text based on the context of input data. Masquerade attackers can thus collect email data from targets and feed it to NLG software. It will analyze this data and output similar written text with malicious content which is practically indistinguishable from a legitimate email- creating the perfect masquerade attack.

Highly sophisticated and trained NLG systems can generate text based on predefined grammar or leverage deep learning neural networks like RNN. This approach facilitates the machine to learn a model that imitates the input to the system. This system can then generate text that closely resembles the input structure. Therefore NLG systems become dangerous tools used by phishers. Innovative deep learning neural networks (DNNs) can generate rational sequences of text when trained on suitable textual content. Scientists have used such systems for generating textual content across a wide variety of genres – from tweets to poetry. Thus it is not long before phishers and spammers can use email datasets – legitimate and malicious – in conjunction with DNNs to generate deceptive, malicious emails. By masquerading the properties of a legitimate email, such carefully crafted emails can deceive pre-trained email detectors, thus making people and organizations vulnerable to phishing scams.

Risks of masquerade attacks

  • Data breaches (e.g. sensitive information such as customers list is sent to the threat actors outside the company)

  • Critical system files are modified (in an effort to gain unauthorized access)

  • Ransomware attacks

  • Identity theft (e.g. gain access to authentication credentials)

  • The network is taken offline

  • Users are locked out of their accounts

  • The download and installation of malware

  • Your organization’s proprietary or sensitive information is leaked

  • Internet traffic is rerouted to malicious sites

Real-world examples of masquerade attacks

  1. Tax phishing campaign – impersonation of US tax authorities which targeted accounting firms. The phishing emails contained URL and HTML attachments which took the victims to spoofed login pages. They were asked for their financial information while the page simultaneously collected their login data for subsequent unauthorized access. Immediately after, the victims are again redirected to the official site to prevent suspicion.

  2. Target Corporation was attacked- in 2013, the US-based department store chain Target Corporation fell victim to a data breach that affected over 40 million Target customers and compromised over 70 million records. The credentials of their HVAC (Heating, Ventilation, and Air Conditioning) associate, Fazio Mechanical Services, were stolen and used for gaining access to target web services. The hackers even came across a web vulnerability which they exploited. Then they used ‘pass the hash’ to impersonate the active directory administrator. Thus, they successfully stole customers’ payment card details and personal information.

How to defend against masquerade attacks

The defense against masquerade attacks depends on whether you’re an administrator or a user. For adequate protection, both the users and the administrators must keep masquerade attacks in mind while applying mitigation measures. Due to the nature of a masquerade attack, the symptoms it exhibits are far-reaching and could apply to other types of attacks.

Network administrators

1. Continuously monitor your networks

To detect masquerade attacks, you need to be aware of suspicious behavior. In this context, this means monitoring:

  • File hashes – If file names don’t match their hashes, the files may have been tampered with – a sign of a masquerade attack.

  • File locations – If files are correctly named but stored in the wrong location, it can signal tampering through a masquerade attack.

  • Logins and network locations –Are any logins occurring at unusual times? Are any unique network locations being accessed? All these signal a possible masquerade attack.

2. Using an AI-based Intrusion Detection System (IDS)

The examples above relate to suspicious behavioral patterns. But it is difficult for traditional IT defenses to identify suspicious behavior. If the user has the credentials to access specific files or locations, how could security software recognize it as a suspicious login? However, today we have sophisticated AI-powered tech to scan for and detect such events efficiently. With an AI-based IDS, you can teach a system, through machine learning, a baseline of normal network behavior. With some training, it will soon be able to detect outlier behavior.

3. Implement digital code-signing

This will prevent unauthorized software execution unless it is signed by a trusted entity, limiting the damage of an efficacious masquerade attack.

4. Limit user permissions as much as possible

Assign each user in your organization with the permissions required to work- implement the principle of least privileges. This will limit the damage of a successful masquerade attack.

5. Provide security awareness training

Security training for your staff will help mitigate both masquerade and other attacks. The training fosters secure habits within your organization and will limit many daily risks. Additionally, your team will be better prepared to deal with security events.


  1. Log out and reboot your computer –This will clear memory that could be used to compromise your machine.

  2. Use strong and complex passwords – Though obvious, this will be your first line of defense in any credential-based attack.

  3. Don’t open attachments in emails– First identify the sender and confirm that they sent you the email. Additionally, verify that the email contains an attachment and know what the attachment contains.

  4. Don’t click links (URLs) in emails– unless you know the sender, its destination, and proof that the sender is not being impersonated. Even then, scrutinize the link. Is it an HTTPS or an HTTP link? The majority of legitimate internet uses HTTPS. Lastly, check the link for incorrect spelling (facebooook or goggle?). If possible, get to the destination without using the link.

  5. Use an antivirus program – Only buy genuine and well-reviewed antivirus software from legitimate vendors. Keep it updated and regularly scan the system.

  6. Keep your operating system updated – OS updates contain the newest security patches. Install them as soon as they’re released.

  7. Use a firewall – All commercial routers on the market provide a built-in NAT firewall, and major operating systems have built-in incoming firewalls. Please enable them. They might protect your system if you click a malicious link.

  8. Don’t give in to “warning fatigue: Take your browser’s warning seriously incase of a warning while accessing a website. Get your information from a different source. If the link in question was received by SMS or email, it might be sending you to a malicious site to retrieve an infected file. Don’t disregard your computer’s warning prompts.

  9. Never click on pop-ups. Ever. You never know where they’ll take you.


Like other online attacks, email masquerading attacks can be challenging to detect because their main symptoms could indicate a multitude of things. The measures listed above will hopefully help you avoid them completely. At the very least, they’ll help you recover faster if you implement them.